A Commentary on the Protection of Personal Information Act is a good legal textbook that lawyers and law students will find useful in raising their awareness about this very important topic that is about to become a big deal in South Africa. It has many positives (and a few limitations). It is a good first edition and I look forward to future editions commenting on how the interpretation and application of the Protection of Personal Information Act (POPIA) develops into the future. Legal practitioners and law students should buy it.

Data protection is going to be a big deal in South Africa

Data protection is an important and very topical issue around the world and indeed in South Africa too. In the information age where data is the new oil many of the key issues of our times revolve around balancing information rights.

  • Who gets access to information?
  • Who must protect what kinds of information?
  • When can it be intercepted?

These are all key questions of our age. Data protection law sets out the principles according to which personal data (just one kind of data) can be processed. Considering personal data is amongst all data, data protection law in a way sets out the principles according to which all data (not just personal data) can be processed. We all process data and therefore data protection is a key issue.

South Africa has historically not had data protection law until it enacted an umbrella data protection law in the form of POPIA. POPIA has taken a very long time to commence but at some point, it will and South Africans will be forced for the first time to get their heads around data protection as a topic and comply with the law.

Who will find it useful

  • Legal practitioners will increase their knowledge on data protection and be in a better position to assist their clients to comply with POPIA by reading this book.
  • Law students will get a good introduction to the topic of data protection and a greater understanding of POPIA by reading this book.

The many positives of a Commentary on the Protection of Personal Information Act

It is for this reason that a commentary on POPIA is welcomed. Anything that can help lawyers to improve their awareness on data protection law as it is enacted in South Africa is a good thing that must be celebrated. And there is much to be celebrated in this new book by Yvonne Burns and Ahmore Burger-Smidt.

It is the best legal textbook that I am aware of on POPIA at the moment.

This Commentary on the Protection of Personal Information Act has many positives.

  • It references the GDPR often which is a good thing because you cannot look at any data protection law in isolation – you have to look at it in a global context. Looking to European data protection law to help interpret POPIA is required. For example, in the preface, the authors mention that they have relied extensively on the GDPR.
  • It includes examples, questions, case summaries and key points in shaded boxes. This helps the reader understand POPIA and see how it would be applied. For example, on page 23 it sets out a scenario and applies the law to it. `
  • It has lots of footnotes that assist greatly in the commentary that it provides on POPIA.
  • From a style perspective, it is written in a relatively plain language which will certainly help the reader access the content. For example, it often uses bulleted lists to break up content and make it more accessible. It does however still use Latin phrases like “inter alia“.  South Africa has eleven official languages and Latin isn’t one of them.
  • It does not follow the structure of POPIA which is a good thing because the structure of POPIA itself does not easily enable someone to apply it. The authors explain the structure in the preface. At the same time, the structure of the book is quite strange to me. For example, the role players are dealt with after the conditions for lawful processing. You must know what role you play right up front because it is only the responsible party who must apply the conditions. The exemptions should also be dealt with upfront. If the reader’s organisation is exempt it would be useful to know this as soon as possible.
  • It has a very useful table of cases that will help lawyers to find relevant judgements that relate to a particular section of POPIA.

A few limitations

I have read many international books on data protection lately and unfortunately, many of them are very superficial, describe the problem only, use scare tactics and are not very useful. Many of them also have all the classic limitations of a legal textbook.

A Commentary on the Protection of Personal Information Act also has some of the problems or limitations that all legal textbooks have.

  • There are a few incomplete statements which are a bit misleading. For example, on page 52 it says that “consent is one of the most important requirements for the lawful processing of personal information”. POPIA is not consent driven and you can often process personal information lawfully without the data subject’s consent.
  • It is already outdated. For example, on page 11 dealing with the date of compliance with the POPI Act, there have been recent developments in this regard. It also does not take the California Consumer Privacy Act or the Indian Personal Data Protection Bill 2018 into account. There have also been recent developments on the Cybercrimes and Cybersecurity Bill.
  • It does not refer in detail to the PECR. It refers to the PECD, which is correct because that is what is currently in force but it will soon be replaced by the PECR which will alter the situation significantly. For example, on page 293 dealing with direct marketing, it does not adequately take the PECD or PECR into account.
  • It is not really suitable for in-house legal or compliance officers. It will assist lawyers, counsel and law students, but it does not go far enough for those trying to implement the measures required by the law in a practical and effective way. It does not go far enough in helping a responsible party to protect the personal data they process or process personal data lawfully. It is certainly not for the lay person. The cover of the book should make it clear who the intended audience is.
  • It often refers to Tolley’s Data Protection Handbook, which was published in 2006. Much has changed since then.

But it has many positives. It is a good first edition. Legal practitioners and law students should buy it.